Remove package pycrypto #25844

Closed
slel opened this issue Jul 12, 2018 · 18 comments

@slel
Member

slel commented Jul 12, 2018

In short: pycrypto is no longer maintained, but also no longer used in Sage.

We should stop shipping it.

If needed, pycryptodome could serve as a replacement.

More detail below.


In this sage-packaging discussion, François Bissey, who maintains
Sage-on-Gentoo, reports that

pycrypto is dead upstream and contains unfixed security bugs.

and considers removing it for Gentoo.

Antonio Rojas, who packages Sage for Arch Linux, says it was already
removed from Arch Linux:

AFAIK pycrypto wasn't used by sagenb itself, but only via twisted,
and they switched to cryptography in 16.0 [1]. Anyhow, secure
sagenb works fine here without pycrypto.

The latest pycrypto on PyPI is release 2.6.1 from 17 Oct 2013.

This message from Fri 21 Jul 2017 19:21:01 UTC on the pycrypto mailing list reads:

As this project hasn't seen commits on master (or perhaps any branch)
in over three years, it appears to be dead.

However, pycryptodome is alive and well! It's a fork off the latest
pycrypto and contains many bugfixes, enhancements. Most importantly,
it's an ongoing project.

https://github.com/Legrandin/pycryptodome

https://www.pycryptodome.org/

There are two ways to install it: for a seamless experience I recommend
uninstalling pycrypto (if present) and installing pycryptodome.

(pycryptodomex has its uses for some, but would mean editing your
imports, whereas pycryptodome is a drop-in replacement for pycrypto.)

If you have issues with installing or using pycryptodome, there are
resources there to guide you and an active issue tracker as well.

CC: @antonio-rojas @fchapoton @cschwan @embray @kiwifb @timokau @infinity0 @novoselt @pcpa @saraedum @haraldschilly @slel @strogdon @tobihan @sagetrac-tmonteil @vbraun @williamstein

Component: packages: standard

Keywords: remove, package, pycrypto

Author: Erik Bray

Branch/Commit: b6aa427

Reviewer: Thierry Monteil

Issue created by migration from https://trac.sagemath.org/ticket/25844

slel added this to the sage-8.3 milestone Jul 12, 2018

@embray
Contributor

embray commented Jul 12, 2018

comment:1

+1 I don't think we should even provide a replacement. There shouldn't be packages in Sage-the-distribution that aren't even used by Sage, directly or indirectly.

@embray
Contributor

embray commented Jul 12, 2018

comment:2

It would be nice if we could do this for 8.3 since it will help packagers.

@timokau
Contributor

timokau commented Jul 12, 2018

comment:3

Grepping through my source tree: I have pycrypto listed as a dependency of python-openid, which is a dependency of sagenb. Is that the dependency that is not actually used?

@embray
Contributor

embray commented Jul 12, 2018

Author: Erik Bray

@embray
Contributor

embray commented Jul 12, 2018

Commit: 5ca84d8

@embray
Contributor

embray commented Jul 12, 2018

Branch: u/embray/ticket-25844

@embray
Contributor

embray commented Jul 12, 2018

New commits:

5ca84d8 remove pycrypto; it is no longer maintained upstream, nor is it used by sage or any of its dependencies

@embray
Contributor

embray commented Jul 12, 2018

comment:5

Replying to @timokau:

Grepping through my source tree: I have pycrypto listed as a dependency of python-openid, which is a dependency of sagenb. Is that the dependency that is not actually used?

It's an optional dependency, and I think we're actually removing openid from sagenb as well, since it no longer works on Python 3.
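
Added example, not part of the thread or of Sage's code: the question discussed above (which packages name pycrypto, and whether as a hard or an optional requirement) can be answered from `Requires-Dist` metadata instead of by grepping, which would also match pycryptodome. The package names in `SAMPLE` are hypothetical and its metadata is constructed.

```python
import re
from importlib import metadata

# Constructed sample metadata; the package names are hypothetical.
SAMPLE = {
    "notebook-app": ["openid-lib (>=2.2)", "web-framework"],
    "openid-lib": ["PyCrypto ; extra == 'crypto'"],
    "ssh-lib": ["pycrypto (>=2.6)"],
    "deploy-tool": ["ssh-lib"],
    "modern-lib": ["pycryptodome (>=3.6)"],
}

def normalize(name):
    """PEP 503 name normalization, so 'PyCrypto' and 'pycrypto' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line):
    """Split a Requires-Dist line into (normalized name, is_optional)."""
    spec, _, marker = line.partition(";")
    name = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec).group(1)
    # A requirement gated on an extra is only installed when asked for.
    return normalize(name), bool(re.search(r"\bextra\b", marker))

def direct_dependents(target, requires):
    """Map each package that names `target` to 'required' or 'optional'."""
    target, found = normalize(target), {}
    for pkg, lines in requires.items():
        for line in lines:
            name, optional = parse_requirement(line)
            # Exact name match; a hard requirement wins over an optional one.
            if name == target and (not optional or pkg not in found):
                found[pkg] = "optional" if optional else "required"
    return found

def hard_dependents(target, requires):
    """Every package that pulls in `target` through non-optional requirements."""
    seen, queue = set(), [target]
    while queue:
        for pkg, kind in direct_dependents(queue.pop(), requires).items():
            if kind == "required" and pkg not in seen:
                seen.add(pkg)
                queue.append(pkg)
    return seen

def installed_requires():
    """Requires-Dist lines of every distribution in the current environment."""
    return {normalize(d.metadata.get("Name", "")): d.requires or []
            for d in metadata.distributions()}
```

Calling `direct_dependents("pycrypto", installed_requires())` inside the environment being audited gives the same report for real packages.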

@sagetrac-tmonteil
Mannequin

sagetrac-tmonteil mannequin commented Jul 12, 2018

Changed branch from u/embray/ticket-25844 to u/tmonteil/ticket-25844

@sagetrac-tmonteil
Mannequin

sagetrac-tmonteil mannequin commented Jul 12, 2018

comment:7

It is OK for me, you just forgot to remove the licensing information about pycrypto. If you agree with this trivial change, you can set the ticket to positive_review.


New commits:

b6aa427 #25844 : remove pycrypto information from COPYING.txt

@sagetrac-tmonteil
Mannequin

sagetrac-tmonteil mannequin commented Jul 12, 2018

Changed commit from 5ca84d8 to b6aa427

@sagetrac-tmonteil
Mannequin

sagetrac-tmonteil mannequin commented Jul 12, 2018

Reviewer: Thierry Monteil

@timokau
Contributor

timokau commented Jul 12, 2018

comment:8

If it wasn't used in sage in the first place and just stuff in build is modified, it shouldn't make a difference to packagers either way. We (at least I and pretty sure the others too) don't use anything from build/pkgs.

That doesn't mean I have anything against including this in 8.3, just clarifying.

@kiwifb
Member

kiwifb commented Jul 12, 2018

comment:9

Replying to @timokau:

Grepping through my source tree: I have pycrypto listed as a dependency of python-openid, which is a dependency of sagenb. Is that the dependency that is not actually used?

Well, in Gentoo python-openid doesn't depend on it. Maybe it is an optional runtime dependency?
In any case I am all for removing it now. Shaves a few bytes from the release tarball, smaller build/pkg folder, what's not to love :)

@timokau
Contributor

timokau commented Jul 12, 2018

comment:10

Yeah I agree. In nix the python-openid package wasn't accepted into the main tree anyways. It is only used as a dependency for sage(nb), since it has the same problem pycrypto has (unmaintained, known problems).

@embray
Contributor

embray commented Jul 12, 2018

comment:11

I even meant to check COPYING.txt but got distracted and forgot at the last second.

@videlec
Contributor

videlec commented Aug 3, 2018

comment:12

update milestone 8.3 -> 8.4

videlec modified the milestones: sage-8.3, sage-8.4 Aug 3, 2018

@vbraun
Member

vbraun commented Aug 5, 2018

Changed branch from u/tmonteil/ticket-25844 to b6aa427
